Method and apparatus for assessing the security of a computer system

ABSTRACT

A method and apparatus performs a security analysis on a computer system to identify, notify, and possibly correct, vulnerabilities and discrepancies. The security system includes a number of security tools and utilities in order to perform these functions. The security system includes the capability to identify the system configuration and once this is done performs different processes to analyze the computer system directories, locate vulnerabilities in the files or directories, check the network access, do analysis of the users or groups which have access to the computer system and check the permissions which these parties have been granted, and analyze passwords of the users. The utilities include the functionality to permanently remove files from the computer system, mark particular files to be analyzed, as well as schedule the security tests to be performed at predetermined times.

RELATED APPLICATIONS

The present application is a continuation of U.S. patent application Ser. No. 09/834,334, filed Apr. 12, 2001, which is a continuation of U.S. patent application Ser. No. 09/333,547, filed Jun. 15, 1999, now abandoned, which claimed priority to U.S. Provisional Patent Application 60/091,270, filed Jun. 15, 1998; these disclosures are incorporated by reference herein.

FIELD OF THE INVENTION

The invention described herein relates to a method and apparatus for analyzing a computer system and identifying security vulnerabilities, and more specifically to a method and apparatus for performing a series of procedures which identify security vulnerabilities and discrepancies in the computer system and, in some cases, suggest and implement corrective action.

BACKGROUND OF THE INVENTION

As the use of computers has grown over the years, especially in business, there has been a growing need to develop computer systems which allow a number of individual computer users to communicate via their computers and have access to common repositories of data. One solution had been to have all users within an organization connect to a single large mainframe computer employing terminals with minimal processing capabilities. Another solution has been the development of server technology which allows a number of individual computers to connect to a central computer, i.e. a server, which includes operating systems for a number of core functions for the network such as e-mail and common databases, as well as a number of functions which are commonly employed by the computers connected to the network.

One advantage of employing server technology is that connections may be established to the server through a number of different modes. A first mode is a direct connection, such as through a local area network (LAN). The second type of connection may be made via a phone line from a remotely located computer. A connection may be established using the public switched telephone network (PSTN) with the server especially adapted to provide a telephonic connection. A third mode is a connection established to the server over the Internet. With a connection established in this manner, system users browsing the web may access information stored on the server.

With these different modes to establish connections, it may be important to protect the information stored on a server from unauthorized access. Certain protections already exist, such as requiring passwords when logging onto the server and restricting access to particular types of information only to designated parties.

SUMMARY OF THE INVENTION

The inventors have recognized that although many computer systems today include certain safeguards, such as passwords, for restricting access to the server and the information contained therein, it is possible that these protections may be overcome. The inventors have further recognized that security vulnerabilities in a computer system may be identified and certain procedures may be performed within the computer system to reduce these vulnerabilities.

Described herein is a security system which identifies security vulnerabilities and discrepancies for a computer system. In some cases the security system may suggest corrections or provide fixes for the identified vulnerabilities and discrepancies. The computer system on which the security system resides may include a processor and an operational memory which contains all data which is to be analyzed by the security system described herein. The processor may direct a number of processing modules in the security system which perform various operations with regard to analyzing the computer system. The security system may also include a database which contains portions of data which may be employed by the processing modules in order to perform the various analyses of the computer system.

In one aspect of the invention, the security system includes at least one security module which analyzes files and directories resident in the system memory. The system may further include at least one utility module which may be employed to alert a system user to detected vulnerabilities, provide corrective suggestions, and then implement the corrections when so directed. Included as part of the security modules may be a configuration detection device which analyzes the system to determine a configuration and locate any unusual features. Once the configuration of the computer system has been determined, a directory check module function may be employed which detects security flaws that may have developed in the file system of the computer and determines if any “security critical” files have been tampered with. A password security module may examine the passwords of the users with access to the computer system to detect insecure password choices. A network check module performs a number of processes to determine the vulnerability of the computer system when access may be gained via a data network.

Another security module may perform an integrity check which searches files in the computer system's operational memory and makes comparisons against a store of known vulnerabilities. A user manager module performs an analysis of user accounts with regard to files and directories found in the operational memory. The user check may identify improper or invalid permissions and ownerships associated with the files analyzed therein.

In another aspect of the invention, the system may further comprise a number of utility modules which supplement or otherwise assist the operations of the security modules. The utility modules may include a user manager module which may further include functionality to edit, create or delete user accounts or templates stored in the system memory. A file removal module may provide for the permanent removal of files from the operational memory. A file may be overwritten with a predetermined pattern such that no trace of the file may be identified. A marking module may provide the functionality to manually mark certain files which are deemed to be critical. This marking function enables the directory check to perform an analysis on this particular file to detect tampering when the directory check module is activated.

Further functions may be included in the security system to selectively activate particular tools, schedule the automated performance of functions, or provide reports to the system user in a number of different formats.

Numerous modifications and additions will be apparent to those skilled in the art upon further consideration of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 discloses a system diagram for the security system.

FIG. 2 discloses a system diagram for the configuration detection subsystem.

FIG. 3 discloses a system diagram for the directory checker module.

FIG. 4 discloses a system diagram for the user manager module.

FIG. 5 discloses a system diagram for the integrity check subsystem.

FIG. 6 discloses a system diagram for the network check module.

FIG. 7 discloses a system diagram for the password checking module.

FIG. 8 discloses a display graphic presentable on the GUI.

FIG. 9 discloses a flow chart which describes the operation of the directory checker module.

FIG. 10 discloses a flow chart which describes the operation of the user manager module.

FIG. 11 discloses a flow diagram which describes the operation of the integrity check module.

FIG. 12 discloses a flow chart which describes the operation of the network check module.

FIG. 13 discloses a flow chart which describes the operation of the password checking module.

FIG. 14 discloses a flow chart which describes the operation of the file removal module.

FIG. 15 discloses a flow chart which describes the operation of the file marking module.

DESCRIPTION OF PREFERRED EMBODIMENTS

Described herein is an apparatus and method for identifying vulnerabilities and discrepancies in a computer system and, in some situations, suggesting and implementing corrective action. The system disclosed herein is arranged in a modular/integrated form and consists of a number of security tools and utilities, as well as a number of reporting functions. Each module may test a different aspect of the computer's security. The method and apparatus described herein focuses on the internal security of the system, locating security problems that can be detected from within it. The system identifies vulnerable configurations and, in some situations, provides instruction on how to repair particular discrepancies or detected breaches.

Disclosed in FIG. 1 is a system diagram which describes a computer system within which the system described herein may operate. In one embodiment of the invention, the computer system may be implemented in a server-type computing device, such as a Unix server with connections to a data network. One connection established to the server may be at least one graphical user interface (GUI) 18 as part of a local area network (LAN). Connections may also be remotely established over the public switched telephone network (PSTN) 9 through a modem device incorporated in the server. The server may also include an Internet connection through which users may establish a connection. The security system described herein may be employed by other remotely located servers which are connected via the data network to the server upon which the security system is resident.

Returning to FIG. 1, the server 10 may include a processor 12 which directs the processes performed by the server. In connection with the processor 12 is an interface device 14 which provides connections to PSTN 9, data network 16, and GUI 18. Although only one GUI is disclosed in the figure, one skilled in the art would know that multiple GUIs may be connected to the server as part of the LAN. The interface may further include a modem device for establishing connections over the PSTN.

Also in connection with the processor 12 is the computer system operational memory 13 which contains all the system's directories and files upon which the security system will perform security operations. Also in connection with the processor are the processing modules 15 which perform the various security, utility, and administrative functions. These modules will be discussed in greater detail below. Finally, during the performance of the various functions certain information may be required in order to perform these processes. This information is stored in database 30.

As seen in FIG. 1, the security system processing modules 15 comprise a number of security and utility modules for performing a variety of operations with regard to the computer system. The following is a brief discussion of the operation of each module.

In order for the security system to operate on a particular computer system, an analysis of the system must be performed as a preliminary matter. As part of this process, the configuration/setup module 17 identifies files that are “critical” to the computer system and locates any unusual features. This particular module only needs to be operated once, upon installation in the computer system. In one aspect of the invention, the configuration/setup module is completely stand-alone and may not generate a report.

Disclosed in FIG. 2 is a system diagram for the configuration/setup module in which the configuration detection subsystem 38, which is a component of the configuration/setup module, accesses a number of files in the system memory, such as the file system table of contents 40, the system configuration files 42, and the system environmental variables 44. Based on the information accessed, a configuration baseline 46 is generated and stored in memory such that it may then be employed by the other modules of the security system.

During operation of the security system, the directory checker module 18 searches for flaws that develop in the file system of a computer over a period of time and detects if “security critical” files have been tampered with. When a particular security problem is identified, the system administrator for the server is prompted for a quick fix if the program is capable of providing one, and all the information associated with security problems, both corrected and uncorrected, is then forwarded to a reporting module for the security system. Things that the directory check module searches for include: globally read/writable directories, executable files that can be globally modified, protected files that have changed permission, newly created files, protected files that have changed ownership or group, protected files that have been deleted, protected files that have been tampered with, incorrect device driver permissions, tampered device driver permissions, incorrect device ownership, and insecure permissions or ownership of operating system files.

Disclosed in FIG. 3 is a system diagram for the directory check module 18. The directory check module receives data from two sources. The first is the security system database 30 and the second is the file system database 42, which is a listing of files and directories in the system memory including pertinent information relating to file or directory ownership, group ownership, and the times at which any changes were made to the file or directory. Upon completion of the analysis, a report may be issued via report module 29.

The directory check module may also examine individual file permissions for nonstandard configurations. System files are compared against the database of suggested permissions for these files. If the files on the computer differ from the files in the database, a prompt may be generated to change the files' rights to those suggested by the security system.

The user manager module 20 is employed to identify improper or invalid permissions and ownerships associated with files. The module identifies common misconfigurations and provides reports as to any anomalies detected. The user manager further provides easy access to user account creation, creation of multiple groups, and system-wide searches for user account vulnerabilities. The features performed by the module include creation of new accounts, creation of new user groups, searching of home directories for improper ownership, searching for nonexistent home directories, searching home directories for improper groups, and searching home directories for improper or insecure files related to some users.

A system diagram for the user manager 20 is disclosed in FIG. 4. In order to perform its functions, the user manager accesses a number of different databases. One database is the user list 50. This list contains all users currently having permission to access the computer system. The default users template 52 contains all of the permissions given to the particular users to access particular files within the system. The file system table of contents 54 includes a listing of all files in the system with the permissions which are granted to each.

The user manager includes the capability to create new user accounts or user groups, as well as make amendments to user templates and the file system table of contents. User list 56, default user template 58 and file system table of contents 60 are all updated versions of these items following the procedures performed by the user manager. Any items worth noting during the processes performed by the user manager are output via the reporting system 29.

The integrity checker module 22 performs an analysis of the computer system in order to find security holes located therein. The analysis performed may find vulnerabilities in such things as: the type of computer/operating system used, the access privileges of files, the owner of the files, the group of the files, the date of the files, or the version number of a sendmail program. This integrity checker module may provide such items as file name, nature of the security hole, and where a system administrator may locate additional information on the particular problems detected. The integrity check module 22 searches for pre-existing security problems by cross-referencing against a vulnerability database which is stored in local memory.

Disclosed in FIG. 5 is a system diagram which includes the data stores accessed by the integrity check module 22. As described above, the integrity check module is employed to analyze the computer system and identify vulnerabilities and discrepancies. Data to be analyzed is retrieved from the file system table of contents 72 which includes a listing of files to be analyzed. Also in connection with the integrity module is the vulnerability database 70 which includes a listing of potential vulnerabilities. Items contained in the vulnerability database which are employed when analyzing a file may relate to age, owner, permissions, existence and group. Any vulnerabilities or discrepancies detected during the process are output via the report subsystem 29.

The network check module 24 performs various analyses to detect vulnerabilities which may occur due to a computer or server being connected to a network. The checks which may be performed include: checking vulnerable configuration files, detecting excessive system services, and checking for promiscuous mode operation on the network interface. The network check may display all services running on the network and include those not registered with the Internet daemon (inetd).

Disclosed in FIG. 6 is a system diagram which includes the elements of the system accessed by the network check module. In order to check the vulnerability of the configuration files, access is gained to the system configuration files 42. In order to check other system characteristics such as promiscuous mode operation, the operations of the network interface 14 are analyzed. The identification of excessive system services may be determined through analysis of a number of components such as the network interface, the processor, and a number of different files stored in memory. Upon completion of the above-described processes, a report may be issued to the system through employment of reporting system 29.

The password checking module 26 is employed to examine the DES-encrypted (crypt(3)) passwords associated with each user to locate weak password choices or those easily guessed. This tool may be employed to test the strength of a system's front-end security, as weak passwords can easily compromise the system. The password checking module may perform such functions as “same salting,” integration of “similar salts,” filtering of words to generate pseudo-words often used as passwords, GCOS password guessing to determine the technique used by the system administrator when handing out new accounts, and large common nonrepetitive dictionaries so that multiple dictionaries that don't contain duplicate words can be used for testing.

A system diagram for the password checking module is shown in FIG. 7. The module receives data input from two sources. The first is the password file or resume file 80 which contains the password entries for all users in the system. The second data input is the word list 82 which includes all of the information to be employed by the password checking module, including dictionaries. Output from the module is a list of insecure passwords 83 identified by the analysis, as well as a resume file 84.

The remaining processing modules relate to performing various utility and administrative functions. Under the direction of a system user, various files and directories in the system memory may be identified through the use of the modules, and various functions performed with regard to these items. The user manager 20 may be employed to generate, delete, or edit user or group directories. Further, the user manager may provide specifics for a selected user, such as user name, UID, group name, GCOS field, home directory, shell, and password. The user manager templates can be used to create user accounts for users who share common requirements on a system.

The file removal module 27 provides functionality to permanently delete selected files. This is accomplished by overwriting the file with bit patterns and text multiple times and then verifying that the information has been changed. This particular function provides the ability to delete individual files or groups of files.

The file marking module 28 provides the functionality to manually mark a file which may be critical to the computer system. Through employment of the configuration/setup module described above, certain files may be designated as critical to the system. If there are other files in the system that are critical but not identified as such, then the file marking utility may be employed to mark those files. This causes the file to be checked by the directory check module each time it is run. If the directory check module detects tampering in a marked file, it will be shown in a report for that particular run of the system. This utility may also be employed to unmark files previously marked.

The reporting module 29 provides the functionality to display to a system user the vulnerabilities and other items generated by the security system. After modules have performed particular functions, reports may be generated which can then be presented to a system user via the GUI.

The schedule module 32 provides the functionality to run security checks at predetermined intervals. Checks can be scheduled to run at specific designated times as well as at regular intervals such as monthly or weekly. The schedule module further provides the flexibility to run individual security modules or all tests.

In operation, the security system is initially installed on the computer system. After installation, the configuration/setup module 17 will run and perform an evaluation of the computer system. Once this evaluation is complete, this information is stored in memory, and the other modules may be accessed and their functions performed.

In order for the system to perform the functions described herein, a number of different system user interaction devices may be employed. As a first example, a series of screen displays may be presented through the GUI which a system user may interact with in order to activate or deactivate particular functions. Further, options may be provided through the GUI to run individual modules of the system, or all security modules, to schedule the operation of the modules, and to receive input from the system user during the operation of the security system. For example, disclosed in FIG. 8 is an example of a screen display which may be employed to activate the individual modules of the security system.

As can be seen in the display graphic 90, three separate interface buttons are provided so that a system user may select the modules that will be employed in the analysis of the system. For example, if security button 92 is pressed, the selections enclosed in the dialogue box 98 are presented. As can be seen, these include the directory check, password check, network check, integrity check, and user check functions. The user may select the processes to be performed and, through selection of the execute button 100, execute these selected functions.

In a situation where the utilities button 96 is selected from the display graphic 90, the file removal and file marking options will be presented to the system user. Upon selection of the reports button 94, the system user may then initiate the reporting or scheduling functions.

If the security button is chosen, the system user may then choose any of the security functions. For example, if the directory check function is chosen in dialogue box 98, the directory check module 18 is initiated in the system and the steps disclosed in the flowchart of FIG. 9 are performed.

Once the directory check process has been initiated, the first step is to access files in the file system database. Files selected are typically commonly used files residing in a public binary executable directory or common directories where insecurities may exist. The process begins by accessing the first file in the file system. At this point, a query is made as to whether the file is a directory or not. If the file is a directory, further queries are made as to whether the file is a new file system, and if so, whether it is traversable. If the answer is yes to both queries, the directory is accessed and the files contained therein may be analyzed. If the new file system is not accessible, the function is terminated. If it is instead determined that the directory is an old file system, it is accessed and the files contained therein are analyzed.

If the file is not a directory, a query is made as to whether the file is “end of directory”. If so, the function is terminated. If the file is not an end of directory, a query is made as to whether the file is a device driver, is in the baseline database, or is an executable file. If the answer is “no” to all these queries, this portion of the process is terminated and the next file in sequence is accessed. If a “yes” is determined for any of the queries, an analysis is then performed as to whether the permissions for the file are secure. As was described above, the tests performed include identification of: globally read/writable directories, executable files that can be globally modified, protected files that have changed permission, newly created files, protected files that have changed ownership or group, protected files that have been deleted, protected files that have been tampered with, incorrect device driver permissions, tampered device driver permissions, incorrect device ownership, and insecure permissions or ownership of operating system files.

If an insecure permission is detected, the system then may provide a report. Depending on the permission problem detected, the system may provide the opportunity to correct it. These corrections are included as part of the security system database. If permission is given to make the correction to the system, the correction is performed and the process returns to the next file in the file system.
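The baseline-and-compare logic described for the configuration/setup module and the directory check module, written out as an added Python example. This is not code from the patent: the baseline format, the finding labels and the names build_baseline, mark_file and directory_check are this example's own assumptions. It inventories a directory tree, records permission bits, owner, group and a SHA-256 content hash for each entry, and on a later run reports the classes of problem listed above. mark_file is the equivalent of the file marking utility described later in this document, since marking a file simply adds it to the set whose hash and ownership are checked.

```python
import hashlib
import os
import stat


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Yield (relative path, absolute path) for root, every subdirectory and every
    file beneath it; os.walk does not descend into symlinked directories."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        yield os.path.relpath(dirpath, root), dirpath
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full


def _record(path):
    """Permission bits, owner, group and, for regular files, a content hash."""
    st = os.lstat(path)  # lstat: fingerprint a link itself, not its target
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        rec["sha256"] = _sha256(path)
    return rec


def build_baseline(root, protected):
    """Inventory everything under root (for new/deleted-file detection) and note
    which relative paths are 'protected', i.e. security critical.  Assumed
    baseline layout: {"files": {rel: record}, "protected": set(rel)}."""
    files = {rel: _record(full) for rel, full in _walk(root)}
    return {"files": files, "protected": set(protected)}


def mark_file(baseline, rel, critical=True):
    """File-marking utility: add a path to (or remove it from) the protected set."""
    if critical:
        baseline["protected"].add(rel)
    else:
        baseline["protected"].discard(rel)


def directory_check(root, baseline):
    """Return sorted (finding, relative path) tuples; an empty list means clean."""
    findings = []
    seen = set()
    for rel, full in _walk(root):
        st = os.lstat(full)
        mode = stat.S_IMODE(st.st_mode)
        # World-writable directory without the sticky bit: anyone may rename or
        # remove entries in it, including other users' files.
        if stat.S_ISDIR(st.st_mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append(("world-writable directory", rel))
        # An executable anyone can modify can be replaced with a trojan.
        if stat.S_ISREG(st.st_mode) and mode & stat.S_IWOTH and mode & 0o111:
            findings.append(("world-writable executable", rel))
        old = baseline["files"].get(rel)
        if old is None:
            findings.append(("new file", rel))
            continue
        seen.add(rel)
        if rel not in baseline["protected"]:
            continue
        if mode != old["mode"]:
            findings.append(("protected file permission changed", rel))
        if (st.st_uid, st.st_gid) != (old["uid"], old["gid"]):
            findings.append(("protected file owner/group changed", rel))
        if "sha256" in old and _sha256(full) != old["sha256"]:
            findings.append(("protected file tampered", rel))
    for rel in sorted(baseline["protected"] - seen):
        findings.append(("protected file deleted", rel))
    return sorted(findings)
```

Run build_baseline once after installation and keep the result off the host, or at least outside the tree being checked: an attacker who can modify a protected file can usually rewrite a baseline stored beside it. The sticky-bit exception for world-writable directories matches how /tmp is normally configured, so it is not reported as a finding.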

If the system user wishes to initiate the user check function, the steps disclosed in the flow chart of FIG. 10 are performed. In the initial step, the password file for the users is first loaded. At this point, the first user on the list is identified. Within the computer system, users may be assigned a home directory in which all files related to or created by the particular user may be stored. A query is first made as to whether the user owns the home directory. If the user does not own the home directory, a report is generated and the process moves on to the next step. A query is then made as to whether the work group with which the user is affiliated owns the home directory. If it is detected that the user's group does not own the home directory with which the user is associated, a report is generated.

In the next step, an analysis is made to determine if the home directory for the user even exists. If this directory does not exist, a report is issued. In the next two steps, an analysis is made as to certain aspects of the user's account and access to the system. In either case, if the permissions provided to the user are found to be insecure, reports are issued. Once the analysis of the particular user is complete, the process returns to the top and the next user on the list is analyzed.
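The FIG. 10 user check as an added Python example, not the patent's code. The passwd parsing, the SENSITIVE dotfile list, the .rhosts wildcard test and the function names are this example's assumptions. It takes the text of a passwd file rather than reading the live one, so it can be run against a copy pulled from a host; the existence test is asked first, because the ownership questions cannot be asked of a directory that is not there.

```python
import os
import stat

# Dotfiles whose content or ownership controls logins or the user's shell.
# The list is this example's choice, not the patent's.
SENSITIVE = (".rhosts", ".profile", ".login", ".cshrc", ".bashrc", ".ssh/authorized_keys")


def parse_passwd(text):
    """Parse /etc/passwd-style lines; the password field is ignored here."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def user_check(passwd_text):
    """Return (user, problem) tuples, one per failed check, in passwd order."""
    findings = []
    group_or_other_write = stat.S_IWGRP | stat.S_IWOTH
    for u in parse_passwd(passwd_text):
        try:
            st = os.lstat(u["home"])
        except FileNotFoundError:
            findings.append((u["name"], "home directory does not exist"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((u["name"], "home directory is not a directory"))
            continue
        if st.st_uid != u["uid"]:
            findings.append((u["name"], "home directory not owned by user"))
        if st.st_gid != u["gid"]:
            findings.append((u["name"], "home directory not owned by user's group"))
        if stat.S_IMODE(st.st_mode) & group_or_other_write:
            findings.append((u["name"], "home directory writable by group or others"))
        for name in SENSITIVE:
            path = os.path.join(u["home"], name)
            try:
                fst = os.lstat(path)
            except FileNotFoundError:
                continue
            # A startup file someone else can edit runs their commands at login.
            if fst.st_uid != u["uid"] or stat.S_IMODE(fst.st_mode) & group_or_other_write:
                findings.append((u["name"], f"{name} not owned by user or writable by others"))
            if name == ".rhosts":
                with open(path) as f:
                    if any(tok == "+" for line in f for tok in line.split()):
                        findings.append((u["name"], ".rhosts contains a '+' wildcard"))
    return findings
```

Group-writable home directories are flagged as well as world-writable ones; on hosts that give each user a private primary group this is still the safe default, and it is the one most audit scripts apply.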

Disclosed in FIG. 11 is a flow chart which describes the operation of the integrity checker when selected by the system user or otherwise automatically initiated. The first step in the process is to load the vulnerability database which contains a listing of possible vulnerabilities or discrepancies. The first file from the computer system database is then loaded and the analysis is begun. A first query is made as to whether the detected owner of the file matches a predetermined profile. If not, this discrepancy is noted and the next entry in the database is loaded. If the response is yes, in the next step a query is made as to whether the file's group matches a predetermined profile. If not, the next entry in the database is loaded. If the answer is yes, a query is then made as to whether the file permissions match the profile. If they don't, this is noted and the next entry in the database is loaded. But if they do match, a query is made in the final step as to whether the file date predates the date recorded in the matching entry. If the answer is no, the next entry in the database is loaded. If the answer is yes, a report is generated regarding the possible existence of a vulnerability. At the completion of the analysis of the database, a report is generated which lists all discrepancies or vulnerabilities which were noted.
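The FIG. 11 decision tree as an added Python example, not the patent's code. The vulnerability database entries below are constructed for illustration and are not real advisories. Two things are this example's assumptions rather than statements from the document: that "predates" means the file's modification time is older than the date on which the entry's fix shipped, and the injectable stat_fn together with snapshot_stat, which let the check run against a recorded snapshot of a host instead of the live filesystem.

```python
import os
import stat
from datetime import datetime, timezone
from types import SimpleNamespace

# Constructed vulnerability database entries: paths, dates and the 'info'
# text are illustrative only.  An entry matches a file that has the listed
# owner, group and permission bits and was last modified before 'fixed_on'.
VULN_DB = [
    {"path": "/usr/lib/sendmail", "uid": 0, "gid": 0, "mode": 0o4755,
     "fixed_on": datetime(1998, 1, 1, tzinfo=timezone.utc),
     "info": "setuid sendmail older than the 1998 build (constructed entry)"},
    {"path": "/etc/hosts.equiv", "uid": 0, "gid": 0, "mode": 0o666,
     "fixed_on": datetime(2100, 1, 1, tzinfo=timezone.utc),  # any date matches
     "info": "world-writable hosts.equiv (constructed entry)"},
]


def integrity_check(vuln_db, stat_fn=os.stat):
    """Walk the decision tree for each database entry and return
    ("vulnerable" | "discrepancy", path, detail) tuples."""
    findings = []
    for e in vuln_db:
        try:
            st = stat_fn(e["path"])
        except FileNotFoundError:
            continue  # the file is absent, so this entry cannot apply
        if st.st_uid != e["uid"]:
            findings.append(("discrepancy", e["path"], "owner differs from profile"))
            continue
        if st.st_gid != e["gid"]:
            continue
        if stat.S_IMODE(st.st_mode) != e["mode"]:
            findings.append(("discrepancy", e["path"], "permissions differ from profile"))
            continue
        mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
        if mtime < e["fixed_on"]:
            findings.append(("vulnerable", e["path"], e["info"]))
    return findings


def snapshot_stat(snapshot):
    """Build a stat_fn from {path: (mode, uid, gid, mtime_epoch)} so the check
    can be run offline against data collected elsewhere (assumed format)."""
    def stat_fn(path):
        if path not in snapshot:
            raise FileNotFoundError(path)
        mode, uid, gid, mtime = snapshot[path]
        return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid, st_mtime=mtime)
    return stat_fn
```

A modification time is weak evidence of a file's build: it is trivially reset with touch, and a package manager may preserve the timestamp of the original release. Where the document mentions a version number (the sendmail example), checking the version string is the stronger test, and the date is at best a fallback.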

Disclosed in FIG. 12 is a flow chart which describes the operation of the network checking module when selected by the system user or otherwise automatically initiated. This module is employed to check for vulnerabilities which may occur due to the connection of a server or computer to a data network such as a LAN or the worldwide network. In the first step, an analysis is performed to determine if the system is running in promiscuous mode. This mode allows the machine to see all network packets transmitted on its network segment, rather than just those packets destined for the machine. If it is, a report is generated. In the next step, an analysis is performed of the various configuration files to note any insecurities. In the final step, a port scan is performed on all or a designated number of network access ports. Upon completion, a report may be generated and provided.
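The three FIG. 12 steps as an added Python example, not the patent's code. Promiscuous-mode detection reads the interface flags from Linux sysfs (IFF_PROMISC is 0x100 in <linux/if.h>); the listener enumeration parses /proc/net/tcp, which lists every socket in LISTEN state whether or not inetd started it; the port scan is a plain TCP connect scan. The function names, the configuration file check and the sample data in the test are this example's assumptions, and the sysfs and /proc paths are Linux-specific.

```python
import os
import socket
import stat

IFF_PROMISC = 0x100  # from <linux/if.h>; /sys/class/net/<if>/flags is hex


def read_interface_flags(sysfs="/sys/class/net"):
    """{interface: hex flags string} from Linux sysfs; empty on other systems."""
    flags = {}
    try:
        names = os.listdir(sysfs)
    except OSError:
        return flags
    for name in names:
        try:
            with open(os.path.join(sysfs, name, "flags")) as f:
                flags[name] = f.read().strip()
        except OSError:
            pass
    return flags


def promiscuous_interfaces(flags_by_iface):
    """Interfaces whose flags include IFF_PROMISC, i.e. a sniffer may be attached."""
    return sorted(n for n, f in flags_by_iface.items() if int(f, 16) & IFF_PROMISC)


def listening_ports(proc_net_tcp_text):
    """Ports in LISTEN state (st == 0A) from the text of /proc/net/tcp or tcp6.
    local_address is hex-IP:hex-port; the first line is a column header."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4 and parts[3] == "0A":
            ports.add(int(parts[1].rsplit(":", 1)[1], 16))
    return sorted(ports)


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: a completed handshake means the port is open."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def insecure_config_files(paths, stat_fn=os.stat):
    """Network configuration files not owned by root (uid 0) or writable by
    group or others; stat_fn is injectable for offline runs."""
    bad = []
    for p in paths:
        try:
            st = stat_fn(p)
        except FileNotFoundError:
            continue
        if st.st_uid != 0 or stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(p)
    return bad
```

Comparing listening_ports() against the ports that inetd.conf and the other service definitions account for gives the "excessive services" list directly, and a connect scan from another host against the same ports shows which of them a firewall actually exposes. On a live host the promiscuous flag can be cleared by a sniffer that uses a packet socket briefly, so the check is worth scheduling rather than running once.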

Disclosed in FIG. 13 is a flow chart which describes the operation of the password checking module when selected by the system user or otherwise automatically initiated. In the initial step the password information is loaded from the computer system working memory. A query is made as to whether the password file is shadowed, and if so, the shadow file is loaded as well. In the next step, similar salt entries are read from the dictionary stored in the system. The system employs “same salting” so that there will only be a single “salt” attempt per dictionary word for each group of users sharing a salt. After a similar salt entry is chosen, the next 5,000 words from the dictionary are also read. If this is the password's first pass through the system, the GCOS password guessing process is also performed. A word filtering process is then performed to generate pseudo-words that are often used as passwords. Once this process is performed, a query is made as to whether the password is in the list of words generated above. If the word is in the list, a query is made as to whether the word from the list is in the password. If the word is in the password, the user is removed from the list of users still to be tested. If the word is not in the password, the word is removed from the list.

Once a word is removed from the list, a query is made as to whether there are any words left in the dictionary to employ for the analysis. If yes, the above process is then performed for the words that are left. If the answer is no, it is determined that the password is uncrackable according to the processes described above and a query is made as to whether this is the last user to be analyzed. If the answer is no, the word list is reset to the beginning and the next user is analyzed.
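The FIG. 13 cracking loop as an added Python example, not the patent's code: GCOS guesses are tried per user first, then the dictionary is run once per distinct salt ("same salting") with the word-filtering mangles applied to each entry. The hash function is a stand-in for the DES-based crypt(3) that keeps its two-character-salt, thirteen-character shape; it, the mangling rules, the unshadowed passwd format, the omission of the 5,000-word batching and the function names are this example's assumptions.

```python
import hashlib


def hash_password(salt, word):
    """Stand-in for crypt(3).  The document targets the traditional DES-based
    scheme (2-character salt followed by 11 hash characters); a salted SHA-256
    truncated to the same shape is used here only so the example runs without
    crypt(3).  It is NOT a drop-in for real password files."""
    digest = hashlib.sha256((salt + word).encode()).hexdigest()
    return salt + digest[:11]


def parse_entries(passwd_text):
    """name:hash:uid:gid:gecos:home:shell lines (unshadowed); salt = first 2 chars."""
    entries = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, _uid, _gid, gecos, _home, _shell = line.split(":", 6)
        if len(pw) < 13:  # locked account, empty password or a non-DES hash: skip
            continue
        entries.append({"name": name, "hash": pw, "salt": pw[:2], "gecos": gecos})
    return entries


def mangle(word):
    """Word filtering: pseudo-words people derive from a dictionary word."""
    w = word.lower()
    return [w, w.capitalize(), w.upper(), w[::-1], w + "1", w + "123", w + "!"]


def gecos_guesses(entry):
    """GCOS guessing: the login name and the words of the GECOS (full name) field."""
    words = {entry["name"]}
    words.update(t for t in entry["gecos"].replace(",", " ").split() if t)
    guesses = []
    for w in sorted(words):
        guesses.extend(mangle(w))
    return guesses


def merge_dictionaries(*dicts):
    """Large common nonrepetitive dictionary: union of several lists, duplicates
    dropped, first-seen order kept."""
    return list(dict.fromkeys(w.strip() for d in dicts for w in d if w.strip()))


def crack(entries, dictionary, hash_fn=hash_password):
    """Return {user: recovered password} for every entry a guess matched."""
    cracked = {}
    # Pass 1: per-user GCOS guesses.
    pending = []
    for e in entries:
        for g in gecos_guesses(e):
            if hash_fn(e["salt"], g) == e["hash"]:
                cracked[e["name"]] = g
                break
        else:
            pending.append(e)
    # Pass 2: same salting.  Group the remaining users by salt so that each
    # candidate is hashed once per distinct salt, not once per user.
    by_salt = {}
    for e in pending:
        by_salt.setdefault(e["salt"], []).append(e)
    for word in dictionary:
        for cand in mangle(word):
            for salt, users in by_salt.items():
                if not users:
                    continue
                h = hash_fn(salt, cand)
                for e in [u for u in users if u["hash"] == h]:
                    cracked[e["name"]] = cand   # user leaves the list once cracked
                    users.remove(e)
    return cracked
```

The saving from same salting is the ratio of users to distinct salts: with the 4,096 salts of traditional crypt(3) and a few thousand accounts, most salts are shared, so a dictionary pass costs a few thousand hashes per word rather than one per user per word. The GCOS pass is cheap and catches the "login name plus a digit" accounts the document's administrator-handout check is aimed at.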

With regard to activating the utility modules, button 94 in the screen display of FIG. 4 may be selected by a system user. Upon selection of this button, a listing of the utility modules is provided. The system user may then select one or more utility modules to run.

Disclosed in FIG. 14 is a flow chart which describes the operation of the file removal module 27. As described above, this module provides the ability to completely delete selected files so that they are not recoverable. Once a file has been identified for removal by the system user, the file removal process may be initiated. The system user may select a file or files to be deleted by viewing a directory listing on the display screen. Once a file has been selected, an analysis is performed to determine whether this is a file which may be erased. For example, if the file passed to the removal module isn't a direct filename (i.e., it contains ".." or "." as a path component, possibly to fool the system into wiping out a device instead of a file), the file removal module will not erase the file. If the file is not erasable, the program is terminated.

If it is determined that the file is overwritable, the module then overwrites the file with a specified bit pattern. For example, this pattern may be "0101". Once this is complete, the file system is synchronized in order to force the data to be written to the drive. The file is then read back to check for differences. At this point a query is made as to whether the file has changed to the designated bit pattern. If not, a failure to overwrite is reported. If the overwrite was successful, this process may then be repeated a number of times with different bit patterns. The file may then be overwritten with text such as "the quick brown fox jumps over the lazy dog" in order to simulate "non-sensitive" information. The final step in the process is to unlink the file from the volume table of contents. At this point the program may be terminated. Overwriting in place only destroys the data where the file system writes the new contents over the old blocks; on journaling, copy-on-write or flash-based storage earlier copies of the contents may survive elsewhere on the medium.
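The file removal procedure of the two paragraphs above, as an added example that is not part of the patent's disclosure: the path check refuses "." or ".." components and anything that is not a plain regular file, each pass writes a bit pattern across the file, fsyncs it and reads it back to verify, a final pass writes the innocuous sentence, and the file is then unlinked. The patterns, the pass count and the temporary sample file are constructed for the example.

```python
"""Added example (not the patent's code): path check, patterned overwrite with
sync and read-back verification, innocuous final pass, then unlink."""
import os
import tempfile
from typing import List

PATTERNS: List[bytes] = [b"\x55", b"\xaa", b"\x00"]   # 01010101, 10101010, zeros
FILLER = b"the quick brown fox jumps over the lazy dog\n"


def is_erasable(path: str) -> bool:
    """Refuse anything that is not a directly named regular file.

    '.' and '..' components and symlinks are rejected so that a crafted name
    cannot redirect the overwrite onto a device node or another file."""
    if any(part in (".", "..") for part in path.split(os.sep)):
        return False
    return not os.path.islink(path) and os.path.isfile(path)


def _read_all(fd: int, size: int) -> bytes:
    chunks, remaining = [], size
    while remaining:
        chunk = os.read(fd, remaining)
        if not chunk:
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def _overwrite(fd: int, size: int, pattern: bytes) -> bool:
    """Write `pattern` across the whole file, sync, read back and compare."""
    data = (pattern * (size // len(pattern) + 1))[:size]
    os.lseek(fd, 0, os.SEEK_SET)
    view = memoryview(data)
    while len(view):
        view = view[os.write(fd, view):]
    os.fsync(fd)                      # force the data to the drive before checking
    os.lseek(fd, 0, os.SEEK_SET)
    return _read_all(fd, size) == data


def secure_remove(path: str, passes: int = 3) -> bool:
    """Return True only if every overwrite verified and the file was unlinked."""
    if not is_erasable(path):
        return False
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for i in range(passes):
            if not _overwrite(fd, size, PATTERNS[i % len(PATTERNS)]):
                return False          # failure to overwrite: leave the file alone
        _overwrite(fd, size, FILLER)  # final pass: look like non-sensitive text
    finally:
        os.close(fd)
    os.unlink(path)                   # remove the directory entry last
    return True


def make_sample_file(contents: bytes) -> str:
    """Create a temporary file with constructed contents to wipe."""
    fd, path = tempfile.mkstemp(prefix="wipe_demo_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(contents)
    return path


if __name__ == "__main__":
    sample = make_sample_file(b"top secret payroll data\n" * 200)
    print("wiped:", secure_remove(sample), "still present:", os.path.exists(sample))
    print("refused:", secure_remove("../etc/passwd"))
```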

Disclosed in FIG. 15 is a flow diagram which describes the operation of the file marking module 28 when selected by the system user. As was described above, this utility is employed when a file is determined to be critical but is not otherwise marked by one of the security functions. This utility also includes the functionality to unmark files. In the first step the file is selected from memory. As with the file removal module, the system user may view a directory and make selections. The database of the host's security checksums is then loaded. If a file is to be marked, the file and its checksum are added to the end of the checksum file. If it is to be unmarked, its entry is removed from the database. The database is then resaved.
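The marking and unmarking steps above, as an added example that is not part of the patent's disclosure, together with the verification that the directory checking module performs against the same database, which goes one step beyond the paragraph. The on-disk format (one "digest  path" line per marked file, as written by sha256sum), the choice of SHA-256 and the sample configuration file are assumptions made for the example.

```python
"""Added example (not the patent's code): a checksum database of marked
security-critical files with mark, unmark and verify operations."""
import hashlib
import os
import tempfile
from typing import Dict


def file_checksum(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_db(db_path: str) -> Dict[str, str]:
    """Read 'digest  path' lines into {path: digest}; missing file = empty db."""
    db: Dict[str, str] = {}
    if os.path.exists(db_path):
        with open(db_path) as fh:
            for line in fh:
                digest, _, path = line.rstrip("\n").partition("  ")
                if digest and path:
                    db[path] = digest
    return db


def save_db(db_path: str, db: Dict[str, str]) -> None:
    with open(db_path, "w") as fh:
        for path, digest in sorted(db.items()):
            fh.write(f"{digest}  {path}\n")


def mark(db_path: str, path: str) -> None:
    """Add a file (with its current checksum) to the marked set and resave."""
    db = load_db(db_path)
    db[path] = file_checksum(path)
    save_db(db_path, db)


def unmark(db_path: str, path: str) -> None:
    """Remove a file from the marked set and resave."""
    db = load_db(db_path)
    db.pop(path, None)
    save_db(db_path, db)


def verify(db_path: str) -> Dict[str, str]:
    """Directory-check side: report each marked file as ok, modified or missing."""
    status: Dict[str, str] = {}
    for path, recorded in load_db(db_path).items():
        if not os.path.isfile(path):
            status[path] = "missing"
        elif file_checksum(path) != recorded:
            status[path] = "modified"
        else:
            status[path] = "ok"
    return status


def demo() -> Dict[str, object]:
    """Mark a constructed inetd.conf, tamper with it, then unmark it."""
    tmp = tempfile.mkdtemp(prefix="mark_demo_")
    db_path = os.path.join(tmp, "checksums.db")
    target = os.path.join(tmp, "inetd.conf")     # constructed stand-in
    with open(target, "w") as fh:
        fh.write("ftp stream tcp nowait root /usr/sbin/in.ftpd\n")
    mark(db_path, target)
    before = verify(db_path)[target]
    with open(target, "a") as fh:                # the tampering a check must catch
        fh.write("shell stream tcp nowait root /bin/sh\n")
    after = verify(db_path)[target]
    unmark(db_path, target)
    return {"before": before, "after": after,
            "still_marked": target in load_db(db_path)}


if __name__ == "__main__":
    print(demo())
```

The database itself is a high-value target: an attacker who can rewrite it can re-mark a modified file as clean, so in practice it is stored read-only or off the host being checked.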

Also, as part of the utility modules, a system user may schedule the performance of any of the functions performed by the security modules or the utility modules. Upon the selection of a schedule option, a variety of further screens may be presented which provide the system user the choices of one or more modules to be scheduled, the date on which the functions will be performed and the time during those dates at which they will be performed. Further options may be provided such as periodic activation of the functions, one-time activation of the functions, or the combination of various security and utility modules.

Returning again to FIG. 8, if the system user selects the reports button 94, at least one option is provided. A first option may be to generate reports for any individual security module, or a combination of modules. An option may also be provided for archiving and accessing archived reports. In the situation where a system user is to generate a report, certain options may be provided through the graphical interface as to the format of the reports. The system user may also be provided the opportunity to edit and print reports.

The foregoing description of the present invention has been presented for purposes of illustration and description. Furthermore, the description is not intended to limit the invention to the form disclosed herein. Consequently, variations and modifications commensurate with the above teachings, and the skill or knowledge of the relevant art, are within the scope of the present invention. The embodiments described hereinabove are further intended to explain best modes known for practicing the invention and to enable others skilled in the art to utilize the invention in such, or other, embodiments and with various modifications required by the particular applications or uses of the present invention. It is intended that the appended claims be construed to include alternative embodiments to the extent permitted by the prior art.

1. A computer security system, comprising: a configuration/set-up module that operates under direction of a processor of a computer system and that identifies security critical files of the computer system; a directory checking module that operates under direction of the processor and that identifies unauthorized changes to the security critical files; and a user manager module that operates under direction of the processor and that identifies unauthorized access to the security critical files.

2. The computer security system of claim 1, further comprising an integrity checking module that operates under direction of the processor and that identifies one or more files stored in memory that correspond to one or more files in a database of known security threats.

3. The computer security system of claim 2, further comprising a file removal module that operates under direction of the processor and that removes the files from the memory when corresponding to the files in the database.

4. The computer security system of claim 1, the computer system comprising a data network.

5. The computer security system of claim 4, further comprising a network checking module that operates under direction of the processor and that detects excessive system service use on at least one access port of the network.

6. The computer security system of claim 1, further comprising a password checking module that operates under direction of the processor and that (a) tests the integrity of user passwords and (b) identifies weak user passwords.

7. The computer security system of claim 1, further comprising a reporting module that operates under direction of the processor and that provides status information pertaining to the computer security system to a system administrator.

8. The computer security system of claim 1, further comprising at least one graphical user interface through which a user may command the processor.

9. The computer security system of claim 1, further comprising a file marking module that operates under direction of the processor and that facilitates selection or deselection of the security critical files.

10. The computer security system of claim 1, further comprising a scheduling module that operates under direction of the processor and that facilitates execution scheduling of one or more of the modules.

11. The computer security system of claim 1, the computer system comprising a UNIX server.

12. A software product comprising instructions, stored on computer-readable media, wherein the instructions, when executed by a computer, perform steps for identifying and removing unwanted users from computer resources, comprising: instructions for identifying security critical files; instructions for identifying unauthorized changes or unauthorized access to the security critical files; instructions for detecting excessive system service use; instructions for testing the integrity of user passwords or for identifying weak user passwords; and instructions for reporting the unauthorized changes, unauthorized access, excessive system service use or weak user passwords to a system administrator.

13. The software product of claim 12, further comprising instructions for identifying corrective measures.

14. The software product of claim 13, further comprising instructions for initiating the corrective measures.

15. The software product of claim 12, further comprising instructions for blocking the unauthorized changes, unauthorized access, excessive system service use or weak user passwords.

16. The software product of claim 12, wherein the instructions for reporting further comprise instructions for displaying a result on a graphical user interface.

17. A method of analyzing and protecting the security of a local area network (LAN), comprising: directing a computer processor to execute a password checking module that carries out the steps of: retrieving user passwords from a database; comparing the user passwords to a word list; comparing the user passwords to pseudo words generated by a word filtering program; and identifying the user passwords that match the word list or the pseudo words as potential security threats.

18. The method of claim 17, further comprising the step of notifying users who have selected the user passwords that are potential security threats.

19. The method of claim 17, further comprising the step of removing access privileges from the users who have selected the user passwords that are potential security threats.

20. The method of claim 17, further comprising the step of displaying a result.